microsoftfandomcom-20200223-history
Microsoft Account
Windows Live ID (originally Microsoft Wallethttp://support.microsoft.com/kb/243524, Microsoft Passport,Microsoft Passport: Streamlining Commerce and Communication on the Web, .NET Passport, then briefly Microsoft Passport Network) is a single sign-on service developed and provided by Microsoft that allows users to log in to many websites using one account. The service is commonly referred to as "MSN", because many services incorporating the Passport/Live ID are or were previously branded with the MSN brand. Product overview Most of the web sites and applications that use Windows Live ID are Microsoft sites, services, and properties such as Hotmail, MSNBC, MSN, Xbox 360's Xbox Live, the .NET Messenger Service, Zune or MSN subscriptions, but there are also several other companies affiliated with Microsoft that use it, such as Hoyts. Users of Hotmail or MSN automatically have a Windows Live ID that corresponds to their accounts. Most recently, user login data has started to allow demographic targeting by advertisers using Microsoft adCenter. Microsoft's Windows XP has an option to link a Windows user account with a Windows Live ID (appearing with its former names), logging users into Windows Live ID whenever they log into Windows. Windows Live ID Web Authentication On August 15, 2007, Microsoft released the Windows Live ID Web Authentication SDK, enabling web developers to integrate Windows Live ID into their websites running on a broad range of web server platforms - including ASP.NET (C#), Java, Perl, PHP, Python and Ruby.LiveSide.net: Windows Live ID Web Authentication Is Final 2007-07-16Live ID Team blog announcement: Windows Live ID Web Authentication SDK for Developers Is Released 2007-07-15 Windows Live ID support for Windows CardSpace The Windows Live ID login page presents users with the existing option to sign in with the usual Windows Live ID username/password credentials, or the alternative - to sign in using Windows CardSpace. Windows Live ID account owners can enable integration with Windows CardSpace (a component of the .NET Framework versions 3.0 and 3.5) by selecting an Information Card from the Windows CardSpace selector UI to link to their Windows Live ID. This CardSpace identity then becomes the alternate login credentials for that account, replacing the need for a password. LiveSide.net: CardSpace (InfoCard) and Live ID 2007-07-02 Windows Live ID support for OpenID On October 27, 2008, Microsoft announced that it was publicly committed to supporting the OpenID framework, with Windows Live ID becoming an OpenID provider.Windows Live ID Becomes an OpenID Provider This would allow users to use their Windows Live ID to sign-in to any website that supports OpenID authentication. Technical overview A new user entering a commerce server will first be redirected to the nearest authentication server, which asks for username and password over an SSL-secured connection, unless the user can present a valid GLOBALAUTH-cookie. In return, a newly accepted user (a) has an encrypted time-limited GLOBALAUTH-cookie stored on his computer and (b) receives a triple DES encrypted ID-tag that previously has been agreed upon, between the authentication and the commerce server. This ID-tag is then sent to the commerce server, upon which the commerce server plants an encrypted LOCALAUTH-cookie in the user’s computer, also time-limited. The presenting of these LOCAL and GLOBAL cookies to various commerce and authentication servers prevents the need for authentication within the time of validity, as in the Kerberos protocol. If the user actively logs out of Windows Live ID, these cookies will be removed; however, users are often confused by other commerce server logout functions, and unintentionally leave these cookies intact. The service depends on users allowing their browsers to ship cookies to servers other than the one they originated from. Problems Windows Live ID is used by many services to prove ownership of a user's e-mail address. On June 17, 2007, Erik Duindam, a web developer in the Netherlands reported a privacy and identity risk, saying a "critical error was made by Microsoft programmers that allows everyone to create an ID for virtually any e-mail address."http://www.erikduindam.com/windowslive.pdf "Windows Live ID security breached" on erikduindam.com A procedure was found to allow users to register invalid or currently used e-mail addresses. Upon registration with a valid e-mail address, an e-mail verification link is sent to the user. Before using it however, the user was allowed to change the e-mail address to one that doesn't exist, or to an e-mail address currently used by someone else. The verification link then caused the Windows Live ID system to confirm the account as having a verified email address. That flaw was fixed two days later, on June 19, 2007.Microsoft Windows Live Flaw Opened Door to Scammers History Microsoft Passport, the predecessor to Windows Live ID, was originally positioned as a single sign-on service for all web commerce. Microsoft Passport had received much criticism. A prominent critic was Kim Cameron, the author of the Laws of Identity, who questioned Microsoft Passport in its violations of those laws. He has since become Microsoft's Chief Identity Architect and helped address those violations in the design of the Windows Live ID identity meta-system. As a consequence, Windows Live ID is not positioned as the single sign-on service for all web commerce, but as one choice of many among identity systems. In December 1999, Microsoft neglected to pay their annual $35 "passport.com" domain registration fee to Network Solutions. The oversight made Hotmail, which used the site for authentication, unavailable on Christmas Eve, December 24. A Linux consultant, Michael Chaney, paid it the next day (Christmas), hoping it would solve this issue with the downed site. The payment resulted in the site being available the next morning. In Autumn 2003, a similar good Samaritan helped Microsoft when they missed payment on the "hotmail.co.uk" address, although no downtime resulted. In 2001, the Electronic Frontier Foundation's staff attorney Deborah Pierce criticized Microsoft Passport as a potential threat to privacy after it was revealed that Microsoft would have full access to and usage of customer information.Privacy terms revised for Microsoft Passport The privacy terms were quickly updated by Microsoft to allay customers' fears. In 2003, Faisal Danka,Faisal Danka a British IT Security expert, revealed a serious flaw in Microsoft Passport, through which any account linked to Microsoft Passport or Hotmail could easily be cracked by using any common browser. Microsoft had pushed for non-Microsoft entities to create an Internet-wide unified-login system. Examples of sites that used Microsoft Passport were eBay and Monster.com, but in 2004 those agreements were cancelled.Microsoft Passport Dumped By Ebay In August 2009, Expedia sent notice out stating they no longer support Microsoft Passport / Windows Live ID. See also * Liberty Alliance * OASIS (organization) * Xbox Live * OpenID, Yadis, Light-Weight Identity - URL-based identity protocols * Windows CardSpace * Windows Live * Games for Windows – Live References External links * Introduction to Windows Live ID whitepaper — Provides a brief overview of the Windows Live ID service in the context of Microsoft's overall identity strategy. * Understanding Windows Live Delegated Authentication whitepaper — Describes how a Web site can use the Windows Live ID Delegated Authentication system to get permission to access users' information on Windows Live services. * Windows Live ID Federation whitepaper — Describes the concept of identity federation and offers considerable detail about how the Windows Live ID service supports it. * Windows Live ID blog – Microsoft’s official blog for Windows Live ID * Windows Live ID Developer portal * Microsoft Passport Network web site * Windows Live ID on mobile it:Windows Live ID ru:Windows Live ID Category:Identity management systems ID